Symantec Patches Endpoint

Friday, August 7, 2015 @ 06:08 PM gHale

Symantec has patched a set of vulnerabilities in its Endpoint Protection (SEP) 12.1 product.

An attacker could chain the vulnerabilities to gain access to an organization's entire corporate network, said researchers at pen testing company Code White.


Code White found six vulnerabilities in Symantec Endpoint Protection Manager (SEPM): an authentication bypass, three path traversals, a privilege escalation, and multiple SQL injections.

The researchers also found a high-severity binary planting flaw in the SEP clients.

“In combination, [the vulnerabilities] effectively allow an unauthenticated attacker the execution of arbitrary commands with ‘NT Authority\SYSTEM’ privileges on both the SEP Manager (SEPM) server, as well as on SEP clients running Windows. That can result in the full compromise of a whole corporate network,” Code White researchers said in a blog post.

SEP clients can be fully compromised through the binary planting vulnerability, which allows the execution of arbitrary code with "NT Authority\SYSTEM" privileges on Windows clients.

“We have successfully demonstrated that a centralized enterprise management solution like the Symantec Endpoint Protection suite is a critical asset in a corporate network as unauthorized access to the manager can have unforeseen influence on the managed clients,” Code White said.

Symantec patched the vulnerabilities in SEP 12.1 RU6 MP1. All earlier releases of SEP 12.1 are affected.

Since proof-of-concept (PoC) code has been publicly released, users should update their SEP installations as soon as possible. Those who cannot update right away should apply the mitigations Symantec recommends. Symantec will also push out IPS signatures to detect and block attack attempts that leverage some of the vulnerabilities.
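As an added example (not code from the article, Code White or Symantec), the following PowerShell snippet checks whether a Windows host's SEP client is older than the fixed 12.1 RU6 MP1 release. The registry locations are the ones SEP 12.1 clients write their PRODUCTVERSION value to; the four-part build number used for RU6 MP1 (12.1.6306.6100) is an assumption and should be confirmed against Symantec's release notes before the script is relied on.

```powershell
# Added example: flag SEP 12.1 clients that predate 12.1 RU6 MP1.
# The build number below is an ASSUMPTION for RU6 MP1; verify it against
# Symantec's release notes before using this in production.
$FixedBuild = [version]'12.1.6306.6100'

# 32-bit and 64-bit (Wow6432Node) registry locations used by SEP 12.1 clients.
$Keys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion'
)

$Installed = $null
foreach ($k in $Keys) {
    if (Test-Path $k) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PRODUCTVERSION
        if ($v) { $Installed = [version]$v; break }
    }
}

if (-not $Installed) {
    Write-Output 'No SEP 12.1 client version found in the registry.'
} elseif ($Installed.Major -eq 12 -and $Installed.Minor -eq 1 -and $Installed -lt $FixedBuild) {
    Write-Output "SEP $Installed is older than 12.1 RU6 MP1 ($FixedBuild): update or apply Symantec's mitigations."
} else {
    Write-Output "SEP $Installed is not in the affected 12.1 range."
}
```

Run it in an elevated session, or push it through a management tool, to get a per-host answer; the comparison is done on the parsed [version] object so builds are ordered numerically rather than as strings.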